Gemmy Opublikowano 29 Grudnia 2008 Zgłoś Opublikowano 29 Grudnia 2008 Jak w temacie Blizzard zawiesza mi konto (praktycznie co 24h),twierdząc że posiadam jakiś syf w postaci trojanow itp.. Sys po formacie,po kilku krotnych skanach nod32,kav,mks:d i nic niby czysto. » Naciśnij aby pokazać/ukryć tekst oznaczony jako spoiler « - HJT LOG Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 20:08:10, on 2008-12-29 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.5730.0013) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\taskswitch.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\WINDOWS\CTHELPER.EXE C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\Windows Media Player\WMPNSCFG.exe C:\Program Files\NEC-Mitsubishi\Brightness Controller\BrightnessController.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\System32\svchost.exe C:\Documents and Settings\gemmy\Pulpit\HiJackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice O4 - HKLM\..\Run: [NodLogin] C:\Program Files\ESET\ESET NOD32 Antivirus\nodlogin.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray O4 - HKCU\..\Run: [vamsoft] C:\WINDOWS\system32\vamsoft.exe O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Startup: Brightness Controller.lnk = C:\Program Files\NEC-Mitsubishi\Brightness Controller\BrightnessController.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe -- End of file - 4160 bytes » Naciśnij aby pokazać/ukryć tekst oznaczony jako spoiler « - SR LOG "Silent Runners.vbs", revision 59, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS] "Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu Sp. z oo"] "vamsoft" = "C:\WINDOWS\system32\vamsoft.exe" [null data] "WMPNSCFG" = "C:\Program Files\Windows Media Player\WMPNSCFG.exe" [MS] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "CoolSwitch" = "C:\WINDOWS\system32\taskswitch.exe" [null data] "SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"" ["Sun Microsystems, Inc."] "CTHelper" = "CTHELPER.EXE" ["Creative Technology Ltd"] "StartCCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun" ["Advanced Micro Devices, Inc."] "egui" = ""C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice" ["ESET"] "NodLogin" = "C:\Program Files\ESET\ESET NOD32 Antivirus\nodlogin.exe" [file not found] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided) -> {HKLM...CLSID} = "SSVHelper Class" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania" -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania" \InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu" -> {HKLM...CLSID} = "HyperTerminal Icon Ext" \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."] "{1530F7EE-5128-43BD-9977-84A4B0FAD7DF}" = "PhotoToys" -> {HKCU...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\phototoys.dll" [MS] "{709C6E11-538F-4759-86AC-6ACB302AA0DE}" = "Desktop Manager" -> {HKCU...CLSID} = "Desktop Manager" \InProcServer32\(Default) = "C:\WINDOWS\system32\msvdm.dll" [null data] "{efb97cb8-a4a4-4357-a261-002ffaed0267}" = "CD Slideshow Powertoy" -> {HKCU...CLSID} = "CD Burn Slideshow Hook" \InProcServer32\(Default) = "C:\WINDOWS\system32\slideshow.dll" [MS] "{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension" -> {HKLM...CLSID} = "SimpleShlExt Class" \InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll" ["Advanced Micro Devices, Inc."] "{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "Eset Smart Security - Context Menu Shell Extension" -> {HKLM...CLSID} = "Eset Smart Security - Context Menu Shell Extension" \InProcServer32\(Default) = "C:\Program Files\ESET\ESET NOD32 Antivirus\shellExt.dll" ["ESET"] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ "WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}" -> {HKLM...CLSID} = "WPDShServiceObj Class" \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."] HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ Eset Smart Security - Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}" -> {HKLM...CLSID} = "Eset Smart Security - Context Menu Shell Extension" \InProcServer32\(Default) = "C:\Program Files\ESET\ESET NOD32 Antivirus\shellExt.dll" ["ESET"] HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ Eset Smart Security - Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}" -> {HKLM...CLSID} = "Eset Smart Security - Context Menu Shell Extension" \InProcServer32\(Default) = "C:\Program Files\ESET\ESET NOD32 Antivirus\shellExt.dll" ["ESET"] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ "shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} "undockwithoutlogon" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp" Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\Documents and Settings\gemmy\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp" Windows Portable Device AutoPlay Handlers ----------------------------------------- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\ MPCPlayCDAudioOnArrival\ "Provider" = "Media Player Classic" "InvokeProgID" = "MediaPlayerClassic.Autorun" "InvokeVerb" = "PlayCDAudio" HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayCDAudio\command\(Default) = ""C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1 /cd" ["mpc-hc@Sourceforge"] MPCPlayDVDMovieOnArrival\ "Provider" = "Media Player Classic" "InvokeProgID" = "MediaPlayerClassic.Autorun" "InvokeVerb" = "PlayDVDMovie" HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayDVDMovie\command\(Default) = ""C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1 /dvd" ["mpc-hc@Sourceforge"] MPCPlayMusicFilesOnArrival\ "Provider" = "Media Player Classic" "InvokeProgID" = "MediaPlayerClassic.Autorun" "InvokeVerb" = "PlayMusicFiles" HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayMusicFiles\command\(Default) = ""C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1" ["mpc-hc@Sourceforge"] MPCPlayVideoFilesOnArrival\ "Provider" = "Media Player Classic" "InvokeProgID" = "MediaPlayerClassic.Autorun" "InvokeVerb" = "PlayVideoFiles" HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayVideoFiles\command\(Default) = ""C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1" ["mpc-hc@Sourceforge"] MSWPDShellNamespaceHandler\ "Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501" "CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}" "InitCmdLine" = " " -> {HKLM...CLSID} = "WPDShextAutoplay" \LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS] Startup items in "gemmy" & "All Users" startup folders: ------------------------------------------------------- C:\Documents and Settings\gemmy\Menu Start\Programy\Autostart "Brightness Controller" -> shortcut to: "C:\Program Files\NEC-Mitsubishi\Brightness Controller\BrightnessController.exe" ["NEC-Mitsubishi Display Electronics America Inc."] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Extensions (Tools menu items, main toolbar menu buttons) HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Console" "CLSIDExtension" = "{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}" -> {HKCU...CLSID} = "Java Plug-in 1.6.0_03" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."] -> {HKLM...CLSID} = "Java Plug-in 1.6.0_03" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll" ["Sun Microsystems, Inc."] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ "ButtonText" = "Messenger" "MenuText" = "Windows Messenger" "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."] Eset Service, ekrn, ""C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe"" ["ESET"] Usługa udostępniania w sieci programu Windows Media Player, WMPNetworkSvc, ""C:\Program Files\Windows Media Player\WMPNetwk.exe"" [MS] ---------- (launch time: 2008-12-29 20:11:29) <<!>>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 4 seconds. ---------- (total run time: 23 seconds)"Silent Runners.vbs", revision 59, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS] "Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu Sp. z oo"] "vamsoft" = "C:\WINDOWS\system32\vamsoft.exe" [null data] "WMPNSCFG" = "C:\Program Files\Windows Media Player\WMPNSCFG.exe" [MS] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "CoolSwitch" = "C:\WINDOWS\system32\taskswitch.exe" [null data] "SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"" ["Sun Microsystems, Inc."] "CTHelper" = "CTHELPER.EXE" ["Creative Technology Ltd"] "StartCCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun" ["Advanced Micro Devices, Inc."] "egui" = ""C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice" ["ESET"] "NodLogin" = "C:\Program Files\ESET\ESET NOD32 Antivirus\nodlogin.exe" [file not found] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided) -> {HKLM...CLSID} = "SSVHelper Class" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania" -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania" \InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu" -> {HKLM...CLSID} = "HyperTerminal Icon Ext" \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."] "{1530F7EE-5128-43BD-9977-84A4B0FAD7DF}" = "PhotoToys" -> {HKCU...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\phototoys.dll" [MS] "{709C6E11-538F-4759-86AC-6ACB302AA0DE}" = "Desktop Manager" -> {HKCU...CLSID} = "Desktop Manager" \InProcServer32\(Default) = "C:\WINDOWS\system32\msvdm.dll" [null data] "{efb97cb8-a4a4-4357-a261-002ffaed0267}" = "CD Slideshow Powertoy" -> {HKCU...CLSID} = "CD Burn Slideshow Hook" \InProcServer32\(Default) = "C:\WINDOWS\system32\slideshow.dll" [MS] "{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension" -> {HKLM...CLSID} = "SimpleShlExt Class" \InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll" ["Advanced Micro Devices, Inc."] "{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "Eset Smart Security - Context Menu Shell Extension" -> {HKLM...CLSID} = "Eset Smart Security - Context Menu Shell Extension" \InProcServer32\(Default) = "C:\Program Files\ESET\ESET NOD32 Antivirus\shellExt.dll" ["ESET"] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ "WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}" -> {HKLM...CLSID} = "WPDShServiceObj Class" \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."] HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ Eset Smart Security - Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}" -> {HKLM...CLSID} = "Eset Smart Security - Context Menu Shell Extension" \InProcServer32\(Default) = "C:\Program Files\ESET\ESET NOD32 Antivirus\shellExt.dll" ["ESET"] HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ Eset Smart Security - Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}" -> {HKLM...CLSID} = "Eset Smart Security - Context Menu Shell Extension" \InProcServer32\(Default) = "C:\Program Files\ESET\ESET NOD32 Antivirus\shellExt.dll" ["ESET"] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ "shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} "undockwithoutlogon" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp" Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\Documents and Settings\gemmy\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp" Windows Portable Device AutoPlay Handlers ----------------------------------------- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\ MPCPlayCDAudioOnArrival\ "Provider" = "Media Player Classic" "InvokeProgID" = "MediaPlayerClassic.Autorun" "InvokeVerb" = "PlayCDAudio" HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayCDAudio\command\(Default) = ""C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1 /cd" ["mpc-hc@Sourceforge"] MPCPlayDVDMovieOnArrival\ "Provider" = "Media Player Classic" "InvokeProgID" = "MediaPlayerClassic.Autorun" "InvokeVerb" = "PlayDVDMovie" HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayDVDMovie\command\(Default) = ""C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1 /dvd" ["mpc-hc@Sourceforge"] MPCPlayMusicFilesOnArrival\ "Provider" = "Media Player Classic" "InvokeProgID" = "MediaPlayerClassic.Autorun" "InvokeVerb" = "PlayMusicFiles" HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayMusicFiles\command\(Default) = ""C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1" ["mpc-hc@Sourceforge"] MPCPlayVideoFilesOnArrival\ "Provider" = "Media Player Classic" "InvokeProgID" = "MediaPlayerClassic.Autorun" "InvokeVerb" = "PlayVideoFiles" HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayVideoFiles\command\(Default) = ""C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1" ["mpc-hc@Sourceforge"] MSWPDShellNamespaceHandler\ "Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501" "CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}" "InitCmdLine" = " " -> {HKLM...CLSID} = "WPDShextAutoplay" \LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS] Startup items in "gemmy" & "All Users" startup folders: ------------------------------------------------------- C:\Documents and Settings\gemmy\Menu Start\Programy\Autostart "Brightness Controller" -> shortcut to: "C:\Program Files\NEC-Mitsubishi\Brightness Controller\BrightnessController.exe" ["NEC-Mitsubishi Display Electronics America Inc."] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Extensions (Tools menu items, main toolbar menu buttons) HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Console" "CLSIDExtension" = "{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}" -> {HKCU...CLSID} = "Java Plug-in 1.6.0_03" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."] -> {HKLM...CLSID} = "Java Plug-in 1.6.0_03" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll" ["Sun Microsystems, Inc."] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ "ButtonText" = "Messenger" "MenuText" = "Windows Messenger" "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."] Eset Service, ekrn, ""C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe"" ["ESET"] Usługa udostępniania w sieci programu Windows Media Player, WMPNetworkSvc, ""C:\Program Files\Windows Media Player\WMPNetwk.exe"" [MS] ---------- (launch time: 2008-12-29 20:11:29) <<!>>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 4 seconds. ---------- (total run time: 23 seconds) Jeżeli ktoś wychwyci jakiś błąd to będę wdzięczny. Cytuj Udostępnij tę odpowiedź Odnośnik do odpowiedzi Udostępnij na innych stronach Więcej opcji udostępniania...
Kolobos Opublikowano 29 Grudnia 2008 Zgłoś Opublikowano 29 Grudnia 2008 Podlacz zainfekowane nosniki (pendrive'y itp) i uzyj Flash Disinfector, nastepnie daj log z combofix. Cytuj Udostępnij tę odpowiedź Odnośnik do odpowiedzi Udostępnij na innych stronach Więcej opcji udostępniania...
Gemmy Opublikowano 29 Grudnia 2008 Zgłoś Opublikowano 29 Grudnia 2008 Uczyniłem ,jak kazałeś i to log po skanie » Naciśnij aby pokazać/ukryć tekst oznaczony jako spoiler « - Cfix LOG ComboFix 08-12-28.04 - gemmy 2008-12-29 21:59:09.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.3326.2775 [GMT 1:00] Uruchomiony z: c:\documents and settings\gemmy\Pulpit\ComboFix.exe * Utworzono nowy punkt przywracania * Resident AV is active . ((((((((((((((((((((((((( Pliki utworzone od 2008-11-28 do 2008-12-29 ))))))))))))))))))))))))))))))) . 2008-12-28 11:15 . 2008-12-28 11:15 <DIR> d-------- c:\program files\K-Lite Codec Pack 2008-12-28 11:15 . 2007-09-04 17:56 164,352 --a------ c:\windows\system32\unrar.dll 2008-12-28 11:15 . 2008-07-30 20:09 38 --a------ c:\windows\avisplitter.ini 2008-12-28 11:03 . 2008-12-28 11:03 85,504 -r-hs---- c:\windows\system32\vbsdfe1.dll 2008-12-27 21:57 . 2008-12-27 21:57 <DIR> d-------- c:\program files\NEC-Mitsubishi 2008-12-27 21:57 . 2008-12-27 21:57 95,642 --a------ c:\windows\Brightness Controller Uninstaller.exe 2008-12-27 21:36 . 2008-12-29 20:27 <DIR> d-------- c:\program files\Foobar_0.9.4.5 2008-12-27 14:27 . 2008-12-27 14:27 <DIR> d-------- c:\program files\FileZilla FTP Client 2008-12-27 14:27 . 2008-12-27 14:37 <DIR> d-------- c:\documents and settings\gemmy\Dane aplikacji\FileZilla 2008-12-27 14:04 . 2008-12-27 14:04 <DIR> d-------- c:\program files\Trend Micro 2008-12-27 13:58 . 2008-12-28 17:02 117,640 --a------ C:\test.htm 2008-12-27 13:49 . 2008-12-27 13:49 <DIR> d-------- c:\program files\ESET 2008-12-27 13:43 . 2008-12-27 13:43 <DIR> d-------- c:\documents and settings\gemmy\Dane aplikacji\DAEMON Tools Pro 2008-12-27 13:43 . 2008-12-27 13:43 <DIR> d-------- c:\documents and settings\gemmy\Dane aplikacji\DAEMON Tools 2008-12-27 13:42 . 2008-12-27 13:42 <DIR> d-------- c:\program files\DAEMON Tools Lite 2008-12-27 13:42 . 2008-12-27 13:42 <DIR> d-------- c:\documents and settings\All Users\Dane aplikacji\DAEMON Tools Lite 2008-12-27 13:40 . 2008-12-27 13:40 <DIR> d-------- c:\documents and settings\gemmy\Dane aplikacji\DAEMON Tools Lite 2008-12-27 13:40 . 2008-12-27 13:40 717,296 --a------ c:\windows\system32\drivers\sptd.sys 2008-12-27 13:31 . 2008-12-27 13:31 0 --a------ c:\windows\nsreg.dat 2008-12-27 13:17 . 2008-12-27 13:17 <DIR> d-------- c:\documents and settings\gemmy\Dane aplikacji\ATI 2008-12-27 13:17 . 2008-12-27 13:17 <DIR> d-------- c:\documents and settings\All Users\Dane aplikacji\ATI 2008-12-27 13:17 . 2008-12-27 13:17 0 --a------ c:\windows\ativpsrm.bin 2008-12-27 13:15 . 2008-12-27 13:16 <DIR> d-------- c:\program files\ATI Technologies 2008-12-27 13:15 . 2008-12-01 14:35 593,920 --------- c:\windows\system32\ati2sgag.exe 2008-12-27 13:14 . 2008-12-27 13:14 <DIR> d-------- C:\ATI 2008-12-27 13:07 . 2008-12-28 11:03 115,259 -r-hs---- c:\windows\system32\vamsoft.exe 2008-12-27 13:07 . 2008-12-29 17:34 85,504 -r-hs---- c:\windows\system32\vbsdfe0.dll 2008-12-27 13:06 . 2008-12-29 00:23 1,080 --a------ c:\windows\system32\settingsbkup.sfm 2008-12-27 13:06 . 2008-12-29 00:23 1,080 --a------ c:\windows\system32\settings.sfm 2008-12-27 13:04 . 2008-12-27 13:05 <DIR> d----c--- c:\windows\system32\DRVSTORE 2008-12-27 13:04 . 2008-12-27 13:04 <DIR> d-------- c:\program files\Intel 2008-12-27 13:04 . 2008-12-29 21:57 4,958,588 --a------ c:\windows\{00000006-00000000-00000002-00001102-00000004-20021102}.BAK 2008-12-27 13:04 . 2008-12-27 13:03 53,248 --a------ c:\windows\system32\CSVer.dll 2008-12-27 13:04 . 2008-12-29 00:23 31,056 --a------ c:\windows\system32\BMXStateBkp-{00000006-00000000-00000002-00001102-00000004-20021102}.rfx 2008-12-27 13:04 . 2008-12-29 00:23 31,056 --a------ c:\windows\system32\BMXState-{00000006-00000000-00000002-00001102-00000004-20021102}.rfx 2008-12-27 13:04 . 2008-12-29 00:23 30,528 --a------ c:\windows\system32\BMXCtrlState-{00000006-00000000-00000002-00001102-00000004-20021102}.rfx 2008-12-27 13:04 . 2008-12-29 00:23 30,528 --a------ c:\windows\system32\BMXBkpCtrlState-{00000006-00000000-00000002-00001102-00000004-20021102}.rfx 2008-12-27 13:04 . 2008-12-29 00:23 11,564 --a------ c:\windows\system32\DVCState-{00000006-00000000-00000002-00001102-00000004-20021102}.rfx . (((((((((((((((((((((((((((((((((((((((( Sekcja Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-12-27 12:44 504,832 ----a-w c:\windows\system32\winlogon.exe 2008-12-27 12:15 --------- d--h--w c:\program files\InstallShield Installation Information 2008-12-27 12:14 --------- d-----w c:\program files\Common Files\InstallShield 2008-12-27 11:51 --------- d-----w c:\program files\Gadu-Gadu 2008-12-27 11:50 --------- d-----w c:\program files\Creative 2008-12-27 11:49 --------- d-----w c:\documents and settings\gemmy\Dane aplikacji\Creative 2008-12-27 11:21 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\ESET 2008-12-27 11:03 635,337 ----a-w c:\windows\unins000.exe 2008-12-27 11:03 --------- d-----w c:\program files\Pro Imaging Powertoys 2008-12-27 11:03 --------- d-----w c:\program files\Microsoft Calculator Plus 2008-12-27 11:03 --------- d-----w c:\program files\Java 2008-12-27 11:03 --------- d-----w c:\program files\Common Files\Java 2008-12-27 11:00 635,337 ----a-w c:\windows\system32\unins000.exe 2008-12-27 10:53 --------- d-----w c:\program files\Windows Media Connect 2 2008-12-27 10:52 --------- d-----w c:\program files\Reference Assemblies 2008-12-27 10:52 --------- d-----w c:\program files\MSBuild 2008-12-27 10:48 --------- d-----w c:\program files\HighMAT CD Writing Wizard 2008-12-27 10:43 --------- d-----w c:\program files\MSXML 6.0 2008-12-27 10:35 --------- d-----w c:\program files\SGJ 2008-12-27 10:18 --------- d-----w c:\program files\microsoft frontpage 2008-12-27 10:17 --------- d-----w c:\program files\Usługi online 2008-12-01 22:13 3,452,928 ----a-w c:\windows\system32\drivers\ati2mtag.sys 2008-12-01 20:52 425,984 ----a-w c:\windows\system32\ATIDEMGX.dll 2008-12-01 20:51 318,464 ----a-w c:\windows\system32\ati2dvag.dll 2008-12-01 20:46 11,304,960 ----a-w c:\windows\system32\atioglxx.dll 2008-12-01 20:41 188,416 ----a-w c:\windows\system32\atipdlxx.dll 2008-12-01 20:40 43,520 ----a-w c:\windows\system32\ati2edxx.dll 2008-12-01 20:40 26,112 ----a-w c:\windows\system32\Ati2mdxx.exe 2008-12-01 20:40 147,456 ----a-w c:\windows\system32\Oemdspif.dll 2008-12-01 20:40 143,360 ----a-w c:\windows\system32\ati2evxx.dll 2008-12-01 20:38 598,016 ----a-w c:\windows\system32\ati2evxx.exe 2008-12-01 20:37 53,248 ----a-w c:\windows\system32\ATIDDC.DLL 2008-12-01 20:27 4,120,384 ----a-w c:\windows\system32\ati3duag.dll 2008-12-01 20:19 307,200 ----a-w c:\windows\system32\atiiiexx.dll 2008-12-01 20:11 2,495,360 ----a-w c:\windows\system32\ativvaxx.dll 2008-12-01 19:57 48,640 ----a-w c:\windows\system32\amdpcom32.dll 2008-12-01 19:53 45,056 ----a-w c:\windows\system32\amdcalrt.dll 2008-12-01 19:53 45,056 ----a-w c:\windows\system32\amdcalcl.dll 2008-12-01 19:53 401,408 ----a-w c:\windows\system32\atikvmag.dll 2008-12-01 19:52 86,016 ----a-w c:\windows\system32\atiadlxx.dll 2008-12-01 19:52 17,408 ----a-w c:\windows\system32\atitvo32.dll 2008-12-01 19:51 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll 2008-12-01 19:50 3,252,224 ----a-w c:\windows\system32\Amdcaldd.dll 2008-12-01 19:50 286,720 ----a-w c:\windows\system32\atiok3x2.dll 2008-12-01 19:45 577,536 ----a-w c:\windows\system32\ati2cqag.dll 2008-10-21 18:51 118,784 ----a-w c:\windows\system32\atibrtmon.exe 2008-10-21 17:40 81,920 ----a-w c:\windows\system32\ATIODE.exe 2008-10-21 17:40 45,056 ----a-w c:\windows\system32\ATIODCLI.exe . ((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360] "Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2005-09-15 1712128] "vamsoft"="c:\windows\system32\vamsoft.exe" [2008-12-28 115259] "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-12-01 204288] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632] "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496] "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440] "egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-07-01 1447168] "CTHelper"="CTHELPER.EXE" [2006-08-11 c:\windows\CTHELPER.EXE] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360] c:\documents and settings\gemmy\Menu Start\Programy\Autostart\ Brightness Controller.lnk - c:\program files\NEC-Mitsubishi\Brightness Controller\BrightnessController.exe [2002-06-15 69632] [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 "UpdatesDisableNotify"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2008-07-01 34312] R2 ekrn;Eset Service;"c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe" [2008-07-01 468224] *Newly Created Service* - PROCEXP90 . - - - - USUNIĘTO PUSTE WPISY - - - - HKLM-Run-NodLogin - c:\program files\ESET\ESET NOD32 Antivirus\nodlogin.exe . ------- Skan uzupełniający ------- . FF - ProfilePath - c:\documents and settings\gemmy\Dane aplikacji\Mozilla\Firefox\Profiles\8uh0s3u1.default\ FF - component: c:\documents and settings\gemmy\Dane aplikacji\Mozilla\Firefox\Profiles\8uh0s3u1.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-12-29 21:59:37 Windows 5.1.2600 Dodatek Service Pack 2 NTFS skanowanie ukrytych procesów ... skanowanie ukrytych wpisów autostartu ... skanowanie ukrytych plików ... skanowanie pomyślnie ukończone ukryte pliki: 0 ************************************************************************** . --------------------- Pliki DLL ładowane pod uruchomionymi procesami --------------------- - - - - - - - > 'winlogon.exe'(684) c:\windows\system32\Ati2evxx.dll . Czas ukończenia: 2008-12-29 21:59:58 ComboFix-quarantined-files.txt 2008-12-29 20:59:45 Przed: 26 210 185 216 bajtów wolnych Po: 26,260,291,584 bajtów wolnych WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect 163 Cytuj Udostępnij tę odpowiedź Odnośnik do odpowiedzi Udostępnij na innych stronach Więcej opcji udostępniania...
Kolobos Opublikowano 30 Grudnia 2008 Zgłoś Opublikowano 30 Grudnia 2008 Utworz na pulpicie plik CFScript.txt, wklej do niego: File:: c:\windows\system32\vbsdfe1.dll c:\windows\system32\vamsoft.exe c:\windows\system32\vbsdfe0.dll Registry:: [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "vamsoft"=- Zapisz i przeciagnij go na ikone combofix.exe Cytuj Udostępnij tę odpowiedź Odnośnik do odpowiedzi Udostępnij na innych stronach Więcej opcji udostępniania...
Gemmy Opublikowano 2 Stycznia 2009 Zgłoś Opublikowano 2 Stycznia 2009 (edytowane) Pieknie! ,do dnia dzisiejszego wszystko wydaje sie być w porządku,7 dniowa udreka zniknęła 8O .Dziekuje za pomoc ah za wcześnie sie ucieszyłem 8O wczoraj o 19 konto zawieszone,na 24h.Powód wirusy,trojany,i udostepnianie konta osobą trzecim-czyli taka notka standardowa Blizzarda. Problem rozwiązałem ,szybko i boleśnie ,przez usuniecie konta z WoW-em. Edytowane 3 Stycznia 2009 przez Gemmy Cytuj Udostępnij tę odpowiedź Odnośnik do odpowiedzi Udostępnij na innych stronach Więcej opcji udostępniania...